Aws on Moos3 (http://blog.guthnur.net/tags/aws/)
Recent content in Aws on Moos3. Generated by Hugo (gohugo.io), en-us. All rights reserved - 2015. Fri, 16 Sep 2016 16:19:59 -0400.
How to Setup Google SSO and AWS (http://blog.guthnur.net/aws-google-sso/)
Fri, 16 Sep 2016 16:19:59 -0400
<p>This article contains the files needed to wire up our Google Apps SSO to AWS. In order to set up AWS SSO in additional accounts you will need the following:</p>
<ul>
<li>Aws Account keys with Admin access</li>
<li>Google Admin access</li>
<li>aws cli tools</li>
</ul>
<h2 id="setup-google-apps">Setup Google Apps</h2>
<p>First we will need to set up a Custom Schema element to hold role information for our users. By default, when you map attributes for SAML apps to pass the Role to AWS, you&rsquo;ll only be able to select from the existing attributes on your users.
Examples include Job Title, Cost Center and Department. I&rsquo;ve seen other articles that mention putting a single role ARN in one of these, but those fields really aren&rsquo;t suitable for that information (especially if you already use them).</p>
<h4 id="the-solution-is-to-setup-a-custom-attribute-https-support-google-com-a-answer-6327792-hl-en-for-your-users">The solution is to set up a <a href="https://support.google.com/a/answer/6327792?hl=en">Custom Attribute</a> for your users.</h4>
<ul>
<li>Open the <a href="https://developers.google.com/admin-sdk/directory/v1/reference/schemas/insert#try-it">Schema Insert Page</a> in Google Admin Console</li>
<li>Enter <code>my_customer</code> in <code>customerId</code></li>
<li>To the right of the Request Body, select <code>FreeForm Editor</code> from the dropdown list and then paste the following (<code>schemaName</code> should be either <code>SSO</code> or <code>AWS_SAML</code>):</li>
</ul>
<pre><code>{
  &quot;fields&quot;: [
    {
      &quot;fieldName&quot;: &quot;role&quot;,
      &quot;fieldType&quot;: &quot;STRING&quot;,
      &quot;multiValued&quot;: true,
      &quot;readAccessType&quot;: &quot;ADMINS_AND_SELF&quot;
    }
  ],
  &quot;schemaName&quot;: &quot;SSO&quot;
}
</code></pre>
<ul>
<li>Then Click <code>Authorize and Execute</code></li>
</ul>
<h4 id="setup-the-google-apps-saml-app-for-aws">Setup the Google Apps SAML App for AWS</h4>
<p>You&rsquo;ll need to configure your Google Apps account as an identity provider (IdP) for AWS to use.</p>
<p>Google has written some pretty good instructions for this <a href="https://support.google.com/a/answer/6194963?hl=en">here</a>. Go check them out and run through them, then come back here, or follow my brief instructions below:</p>
<ol>
<li>Log in to your Google Apps Admin Console</li>
<li>Head to the <code>Apps</code> section, then <code>SAML Apps</code></li>
<li>Click <code>Add a Service/App to your domain</code></li>
<li>Select <code>Amazon Web Services</code></li>
<li>Click the <code>Download</code> button next to the <code>IDP Metadata</code> and save it somewhere for later</li>
<li>Change the Application Name, Description and Logo if you want to, otherwise continue on</li>
<li>Set up the Service Provider Details</li>
<li>Make sure the <code>ACS URL</code> and <code>Entity ID</code> are both set to <code>https://signin.aws.amazon.com/saml</code></li>
<li>Also make sure the <code>Start URL</code> is blank and <code>Signed Response</code> is unchecked</li>
<li>You&rsquo;ll want the <code>Name ID</code> to be mapped to <code>Basic information: Primary Email</code></li>
<li>Set the Attribute mapping up with the following:</li>
<li><code>https://aws.amazon.com/SAML/RoleSessionName</code>: <code>Basic Information: Primary Email</code></li>
<li><code>https://aws.amazon.com/SAML/Role</code>: <code>SSO: Role</code></li>
<li>Click Finish</li>
<li>Turn the App on by clicking the settings button, then <code>Turn ON for everyone</code>, and confirm the dialog when asked</li>
</ol>
<h2 id="setting-up-the-idp-in-aws">Setting up the IdP in AWS</h2>
<p>You&rsquo;ll need to tell AWS that you want to use the Google App you just set up as an IdP.
You can do that with the command below:</p>
<pre><code># aws iam create-saml-provider --saml-metadata-document file://GoogleIDPMetadata-yourdomain.xml --name GoogleAppsProvider
{
  &quot;SAMLProviderArn&quot;: &quot;arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider&quot;
}
</code></pre>
<p>Make sure you substitute <code>GoogleIDPMetadata-yourdomain.xml</code> with the path to the IDP metadata file you downloaded earlier.</p>
<p>This will spit out a response with the ARN of the identity provider you created, so make sure you note this down for later.</p>
<h4 id="create-some-roles">Create Some Roles</h4>
<ol>
<li>You&rsquo;ll first need to craft a Trust Policy document to be used with the roles you&rsquo;ll create. Create a new file called <code>GoogleApps_TrustPolicy.json</code> with the following contents:</li>
</ol>
<pre><code>{
  &quot;Version&quot;: &quot;2012-10-17&quot;,
  &quot;Statement&quot;: [
    {
      &quot;Effect&quot;: &quot;Allow&quot;,
      &quot;Principal&quot;: {
        &quot;Federated&quot;: &quot;&lt;Replace Me with your IdP ARN&gt;&quot;
      },
      &quot;Action&quot;: &quot;sts:AssumeRoleWithSAML&quot;,
      &quot;Condition&quot;: {
        &quot;StringEquals&quot;: {
          &quot;SAML:aud&quot;: &quot;https://signin.aws.amazon.com/saml&quot;
        }
      }
    }
  ]
}
</code></pre>
<p>Make sure you replace <code>&lt;Replace Me with your IdP ARN&gt;</code> with the ARN of the identity provider you created earlier.</p>
<ol start="2">
<li>Run the following command to create the role. Note down the ARN that is returned, as we&rsquo;ll need it later</li>
</ol>
<pre><code># aws iam create-role --role-name GoogleAppsAdminDemo --assume-role-policy-document file://GoogleApps_TrustPolicy.json
{
  &quot;Role&quot;: {
    &quot;AssumeRolePolicyDocument&quot;: {
      &quot;Version&quot;: &quot;2012-10-17&quot;,
      &quot;Statement&quot;: [
        {
          &quot;Action&quot;: &quot;sts:AssumeRoleWithSAML&quot;,
          &quot;Effect&quot;: &quot;Allow&quot;,
          &quot;Condition&quot;: {
            &quot;StringEquals&quot;: {
              &quot;SAML:aud&quot;: &quot;https://signin.aws.amazon.com/saml&quot;
            }
          },
          &quot;Principal&quot;: {
            &quot;Federated&quot;: &quot;arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider&quot;
          }
        }
      ]
    },
    &quot;RoleId&quot;: &quot;AROAIYGHGSVXXXXXXXXXX&quot;,
    &quot;CreateDate&quot;: &quot;2016-03-10T12:19:31.177Z&quot;,
    &quot;RoleName&quot;: &quot;GoogleAppsAdminDemo&quot;,
    &quot;Path&quot;: &quot;/&quot;,
    &quot;Arn&quot;: &quot;arn:aws:iam::123456789012:role/GoogleAppsAdminDemo&quot;
  }
}
</code></pre>
<ol start="3">
<li>At this stage I&rsquo;ve not attached any permissions to the role; you can read how to do that <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html#d0e18315">here</a></li>
</ol>
<h3 id="add-some-roles-to-your-google-apps-users">Add some roles to your Google Apps Users</h3>
<ol>
<li>Open the <a href="https://developers.google.com/admin-sdk/directory/v1/reference/users/patch#try-it">Patch Users Page</a> in the Google Admin Console</li>
<li>In <code>userKey</code> put the email address of the user you want to update</li>
<li>To the right of the Request body, select <code>Freeform Editor</code> from the drop-down list, paste the following text, and replace <code>&lt;role ARN&gt;</code> and <code>&lt;provider ARN&gt;</code> with the values you collected earlier:</li>
</ol>
<pre><code>{
  &quot;customSchemas&quot;: {
    &quot;SSO&quot;: {
      &quot;role&quot;: [
        {
          &quot;value&quot;: &quot;&lt;role ARN&gt;,&lt;provider ARN&gt;&quot;,
          &quot;customType&quot;: &quot;SSO&quot;
        }
      ]
    }
  }
}
</code></pre>
<p>Mine looked something like this (with two roles):</p>
<pre><code>{
  &quot;customSchemas&quot;: {
    &quot;SSO&quot;: {
      &quot;role&quot;: [
        {
          &quot;value&quot;: &quot;arn:aws:iam::123456789012:role/GoogleAppsAdminDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider&quot;,
          &quot;customType&quot;: &quot;SSO&quot;
        },
        {
          &quot;value&quot;: &quot;arn:aws:iam::123456789012:role/GoogleAppsUserDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider&quot;,
          &quot;customType&quot;: &quot;SSO&quot;
        }
      ]
    }
  }
}
</code></pre>
<ol>
<li>Click <code>Authorize and Execute</code></li>
</ol>
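<p>The trust policy from the Create Some Roles step and the Users.patch body above, built from one set of ARNs so the role/provider pairs cannot be mistyped, as an added example that is not part of the original post. It assumes the constructed ARNs shown (the fake account id is the article's) and that a role and its SAML provider live in the same account; it only emits JSON and calls neither AWS nor Google.</p>

```python
import json
import re

# Constructed sample values; the account id is the fake one used in the article.
IDP_ARN = "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
ROLE_ARNS = ["arn:aws:iam::123456789012:role/GoogleAppsAdminDemo",
             "arn:aws:iam::123456789012:role/GoogleAppsUserDemo"]
SAML_AUD = "https://signin.aws.amazon.com/saml"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$")


def iam_account(arn, kind):
    """Return the 12-digit account id of an IAM ARN of the given kind, else raise."""
    m = ARN_RE.match(arn)
    if not m or m.group(2) != kind:
        raise ValueError("expected an IAM %s ARN, got %r" % (kind, arn))
    return m.group(1)


def trust_policy(idp_arn):
    """Trust policy from the 'Create Some Roles' step: only the named SAML
    provider may assume the role, and only with assertions whose audience is
    the AWS sign-in endpoint (the SAML:aud condition)."""
    iam_account(idp_arn, "saml-provider")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": idp_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}}}]}


def user_patch_body(role_arns, idp_arn, schema="SSO"):
    """Request body for the Users.patch step. Every entry of the multi-valued
    'role' field is '<role ARN>,<provider ARN>', the form AWS expects in the
    https://aws.amazon.com/SAML/Role attribute."""
    idp_account = iam_account(idp_arn, "saml-provider")
    entries = []
    for arn in role_arns:
        if iam_account(arn, "role") != idp_account:
            # A role paired with a provider from another account is almost
            # certainly a copy-paste mistake; refuse rather than emit it.
            raise ValueError("role %s is not in the IdP's account" % arn)
        entries.append({"value": "%s,%s" % (arn, idp_arn), "customType": schema})
    return {"customSchemas": {schema: {"role": entries}}}


if __name__ == "__main__":
    # Both documents are valid JSON, which the hand-typed ones are easy to get wrong.
    print(json.dumps(trust_policy(IDP_ARN), indent=2))
    print(json.dumps(user_patch_body(ROLE_ARNS, IDP_ARN), indent=2))
```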
<h3 id="test-it-out">Test it out</h3>
<p>Open your Google Apps account and then select the <code>Amazon Web Services</code> app. It should redirect you to a page that lets you select the Role to log in with (only if you have multiple Roles); otherwise it will just bring you to the AWS Console Homepage.</p>
AWS VPC VPN connection to Linode with GRE Tunnels (http://blog.guthnur.net/aws-vpc-vpn-linode-gre/)
Wed, 15 Jun 2016 15:11:09 -0400
<p>So we have started to migrate from <a href="https://www.linode.com">Linode</a> to <a href="https://aws.amazon.com">Amazon AWS</a> at work. We are using a specialized AWS VPC design to make our infrastructure faster and stronger than we could at Linode, and more secure too. One of the major issues we had to overcome is that there is no way to directly connect AWS to Linode and Linode to AWS. So with some magic and special sauce we were able to come up with the following solution.</p>
<p><strong>RACOON + QUAGGA + GRE TUNNELS == FTW</strong></p>
<p>First, if you&rsquo;re on Linode, you will need to do the following things, which are not covered by this tutorial. One, get on the generic kernel and not the custom Linode kernels. Two, make sure you set up your VPC VPN configuration. I suggest you follow this tutorial: <a href="https://medium.com/@silasthomas/aws-vpc-ipsec-site-to-site-vpn-using-a-ubiquiti-edgemax-edgerouter-with-bgp-routing-37abafb950f3#.o1n31p7em">Medium AWS VPC VPN with BGP</a>. It&rsquo;s important that you follow the steps and download the generic configuration; you will need it later on in this tutorial. I am also assuming that you have multiple machines in Linode and that they are Debian/Ubuntu based. You will want to spin up a box that will be labelled as your AWS gateway.</p>
<h4 id="racoon-setup">Racoon Setup</h4>
<p>You will need to install racoon first, using <code>apt-get install ipsec-tools racoon</code>. If you&rsquo;re running a RHEL- or BSD-based system you will need to google how to install racoon and ipsec-tools.</p>
<h4 id="quagga-setup">Quagga Setup</h4>
<p>You will need to install quagga first, using <code>apt-get install quagga</code>. If you&rsquo;re running a RHEL- or BSD-based system you will need to google how to install quagga.</p>
<h3 id="configuration-of-racoon-and-quagga">Configuration of Racoon and Quagga</h3>
<p>Luckily I have written a script to make this a lot easier for you :) The following script will generate the racoon and quagga configuration for you.</p>
<script src="//gist.github.com/moos3/36c5bfc36e084e8c4ca18f44eb6f8292.js"></script>
<p>To run this script, make sure you have copied your generic configuration text file to the machine you&rsquo;re going to set up as your AWS VPC VPN gateway. Then edit the script and set the following variables:</p>
<script src="//gist.github.com/moos3/bffb716f8add396fb6400868b77e754b.js"></script>
<p>Once you have those set, run the script like so: <code>./vpnsetup.sh aws-configuration.txt</code>. Sit back and wait for it to parse and run. To check whether the tunnel came up, look at <code>/var/log/quagga/bgp.log</code>; if it is successful you should see output like this:</p>
<script src="//gist.github.com/moos3/6bd0956e53d19479607825b8984eff35.js"></script>
<p>If you have a node in your VPC you should be able to ping it from this box. Now you have successfully set up BGP and IPsec on Linux :) If you don&rsquo;t see this in your logs, check your <code>BGP_ID</code> value, and check that your IPsec has come up. Use this command to check your racoon security associations: <code>racoonctl show-sa ipsec</code></p>
<h3 id="gre-setup-and-configuration">GRE setup and configuration</h3>
<p>The second part of this is to make the other nodes inside Linode talk to the AWS nodes. We will use GRE for this. First, edit <code>/etc/modules</code> and insert <code>ip_gre</code> in the file so the kernel will load it. Next, pick a subnet size that will fit what you&rsquo;re trying to do; I would stick with something no bigger than a /26. For this example we are going to use 10.10.0.0/26 for our GRE network, and we will use two boxes to get started. I recommend the following for box A (the AWS VPN gateway box).</p>
<p><code>remote</code> needs to be set to the IP address of the box on the other end. <code>local</code> is the local IP of the box you&rsquo;re adding the tunnel to.</p>
<p>AWS vpn gateway box:</p>
<pre><code>ip tunnel add gre-client mode gre remote 192.168.1.34 local 192.168.0.24 ttl 255
ip link set gre-client up
ip link set gre-client multicast on
ip addr add 10.10.0.1/26 broadcast 10.10.0.63 dev gre-client
</code></pre>
<p>Client box that needs to connect to aws:</p>
<pre><code>ip tunnel add gre-vpn mode gre remote 192.168.0.24 local 192.168.1.34 ttl 255
ip link set gre-vpn up
ip link set gre-vpn multicast on
ip addr add 10.10.0.2/26 broadcast 10.10.0.63 dev gre-vpn
</code></pre>
<p>Next you will need to add a route on the client side that tells it to send traffic for your AWS network to the AWS VPN gateway.</p>
<pre><code>ip route add 172.16.0.0/16 via 10.10.0.1
</code></pre>
<p>Then, on the AWS VPN gateway box, we will need to add an SNAT rule to iptables. That will look like this:</p>
<pre><code>iptables -t nat -A POSTROUTING --src 10.10.0.0/26 --dst 172.16.0.0/16 -j SNAT --to-source 169.254.44.42
</code></pre>
<p>The important part here is that <code>--dst</code> is set to your AWS VPC network and that <code>--to-source</code> is the address of the box running the BGP service. You can find this IP address in the quagga logs by looking for <code>Zebra rcvd</code>:</p>
<pre><code>2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.234/30
2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.42/30
</code></pre>
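<p>The gateway and client tunnel commands, the client route and the SNAT rule above, generated from one declaration so the two ends cannot disagree on prefix length or broadcast address, as an added example that is not from the original post. It uses the article's constructed addresses and its two Zebra log lines, assumes that log format, and prints the commands rather than running them.</p>

```python
import ipaddress
import re

# Constructed sample input: the addressing used in the walkthrough above.
GRE_NET = "10.10.0.0/26"                  # one GRE transit network for all tunnels
GATEWAY = ("192.168.0.24", "10.10.0.1")   # (endpoint IP, GRE address) of the AWS VPN gateway box
CLIENT = ("192.168.1.34", "10.10.0.2")    # same for a client box inside Linode
VPC_CIDR = "172.16.0.0/16"
ZEBRA_LOG = """2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.234/30
2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.42/30
"""
ZEBRA_ADD_RE = re.compile(r"Zebra rcvd: interface (\S+) address add (\d+\.\d+\.\d+\.\d+)/\d+")


def tunnel_cmds(name, local, remote, gre_addr, gre_net):
    """`ip` commands for one end of the GRE tunnel. Prefix length and broadcast
    are derived from gre_net, so a /27 on one side against a /26 on the other
    cannot happen; an address outside the transit network is rejected."""
    net = ipaddress.ip_network(gre_net)
    if ipaddress.ip_address(gre_addr) not in net:
        raise ValueError("%s is outside %s" % (gre_addr, gre_net))
    return [
        "ip tunnel add %s mode gre remote %s local %s ttl 255" % (name, remote, local),
        "ip link set %s up" % name,
        "ip link set %s multicast on" % name,
        "ip addr add %s/%d broadcast %s dev %s" % (gre_addr, net.prefixlen, net.broadcast_address, name),
    ]


def bgp_tunnel_addrs(log):
    """Tunnel-inside addresses quagga reported the kernel adding; the SNAT
    --to-source has to be one of these or the VPC will never see a reply path."""
    return [m.group(2) for m in ZEBRA_ADD_RE.finditer(log)]


def snat_rule(gre_net, vpc_cidr, to_source, log):
    """SNAT rule for the gateway box; refuses a source quagga never reported."""
    if to_source not in bgp_tunnel_addrs(log):
        raise ValueError("%s is not a BGP tunnel address seen in the log" % to_source)
    return ("iptables -t nat -A POSTROUTING --src %s --dst %s -j SNAT --to-source %s"
            % (gre_net, vpc_cidr, to_source))


if __name__ == "__main__":
    print("\n".join(tunnel_cmds("gre-client", GATEWAY[0], CLIENT[0], GATEWAY[1], GRE_NET)))
    print("\n".join(tunnel_cmds("gre-vpn", CLIENT[0], GATEWAY[0], CLIENT[1], GRE_NET)))
    print("ip route add %s via %s" % (VPC_CIDR, GATEWAY[1]))  # on the client box
    print(snat_rule(GRE_NET, VPC_CIDR, "169.254.44.42", ZEBRA_LOG))  # on the gateway box
```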
<p>Now you should be able to ping or traceroute to your AWS nodes in the VPC. If you can, you&rsquo;re golden. Some things you might try if this doesn&rsquo;t work: one, add the iptables rule <code>iptables -A FORWARD -j LOG</code>, which will log all forwarded traffic; two, make sure that IP forwarding is enabled in <code>sysctl.conf</code> on both the gateway and the client.</p>
<p>Happy BGP&rsquo;ing and GRE routing around a limitation on Linode. You could use this in many applications, not just Linode. For a good read on GRE, see this <a href="http://bjornruud.net/2011/02/gre-tunnel-with-multicast-support.html">GRE Tutorial</a>.</p>